David Chiang

Excited to share our research on Kernel Streaming! We discovered several vulnerabilities in it that we used at Pwn2Own this year. Check it out: devco.re/blog/2024/08/2…

Thanks @BlackHatEvents for the #BHUSA acceptance! It's pure web hacking research this time! 🔥 However, I'm still not sure if I can enter the US or not. In advance, I reapplied for the VISA and had the interview in March. Two months have passed, and my case is still under review. I really want to be back on stage. Is there any effort or help I can try? 😫

@tmt514 做健康檢查

有什麼辦法可以根治沒事就想吃炸雞或雞排的念頭🫣

I'm probably lagged but just found this website is pretty good for learning kernel exploitation! pawnyable.cafe

#Logout4Shell: Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell bit.ly/3rW2W5x #Log4J #Java #Security

log942j

Last weekend @0rganizers played HITCON CTF and got 4th place🥳. I solved the Chaos series of challenges by @david942j together with @galli_leo_, here is our writeup org.anize.rs/HITCON-2021/pw…. Enjoy!

All my challenges include sources and solutions here: github.com/david942j/ctf-… #HITCONCTF

Last three hours!

I prepared new monsters this year. ctf2021.hitcon.org

Google's Magic Eraser is just mwah. 😂

@BrieflyX Good idea, and seems it's good to collect all kinds of solutions

@david942j I vote for atoms since many teams solved it via unintended bugs. I would like to see how to trigger the real deadlock XD.

Published all the sources and solutions of my challenges for #HITCON CTF 2020: github.com/david942j/ctf-… Which challenge would you most like me to have a writeup 😀?

@JinBlackx groovy!

@david942j If you alloc and then map multiple pages (size > 0x1000) by munmapping pages singularly you get the ref counter below 1. So the cur_pool structure is set free. But the file descriptor is still alive. Then when that chunk is reallocated, by mapping you get a crash (and the flag)

@sampriti0 @BrieflyX Fabulous!

@BrieflyX @david942j If you want a exploit using just the UAF :P gist.github.com/sampritipanda/…

I solved spark in HITCON CTF 2020. The CONFIG_SLAB_FREELIST_HARDENED made it hard to exploit via a single UAF and costs much of my time. Eventually another out-of-bound bug in query algorithm saved me. Thanks to @david942j for 2 interesting kernel chals! github.com/BrieflyX/ctf-p…

@JinBlackx I didn't know there's a UAF bug until now.. And yes there are deadlock bugs.

@david942j quick question about atoms. Is the intended solution a real deadlock? Because we exploited a UAF to crash the kernel. I am not sure the UAF was the intended solution by looking at your code.

:D

Tons of pwnables are waiting for you, as always.

Come to play Google CTF 2020! 43 hours remaining. I'm not the designer but I verified some pwn / reversing / sandbox challenges ;) capturetheflag.withgoogle.com/scoreboard